Context Navigation

← Previous Ticket
Next Ticket →

#36546 assigned Cleanup/optimization

Deprecate django.utils.crypto.constant_time_compare()

Reported by:	Tim Graham	Owned by:
Component:	Utilities	Version:	dev
Severity:	Normal	Keywords:
Cc:	JaeHyuckSa	Triage Stage:	Someday/Maybe
Has patch:	no	Needs documentation:	no
Needs tests:	no	Patch needs improvement:	no
Easy pickings:	no	UI/UX:	no

Description

Historically it was a bespoke implementation (added in 45c7f427ce830dd1b2f636fb9c244fda9201cadb) before the stdlib implementation was preferred (58176dee88ac7c1038c7f685af023e634b143d02). Now it's just alias of secrets.compare_digest (which itself is an alias of hmac.compare_digest, which was used before 1d0bab0bfd77edcf1228d45bf654457a8ff1890d).

constant_time_compare() does call force_bytes() on its arguments but this was a workaround for Python 2.7 (7e3cf3cfd27e53ced0a1fc65a02849f78a292d3d) and no tests in Django's test suite fail with those calls removed.

Change History (15)

comment:1 by suhail vs, 2 months ago

what about adding a warning in function constant_time_compare in file django.utils.crypto.py

import warnings
from django.utils.deprecation import RemovedInNextVersionWarning

def constant_time_compare(val1, val2):
    """Return True if the two strings are equal, False otherwise."""
    warnings.warn(
        "constant_time_compare(val1, val2) is deprecated and will be removed in Django 6.0. "
        "`import secrets` from python standard library, then run secrets.compare_digest(val1,val2) instead.",
        RemovedInNextVersionWarning,
        stacklevel=2
    )
    return secrets.compare_digest(force_bytes(val1), force_bytes(val2))

comment:2 by Sarah Boyce, 2 months ago

Triage Stage:	Unreviewed → Accepted

comment:3 by JaeHyuckSa, 2 months ago

Owner:	set to JaeHyuckSa
Status:	new → assigned

comment:4 by JaeHyuckSa, 2 months ago

Has patch:	set

comment:5 by JaeHyuckSa, 2 months ago

Patch needs improvement:	set

comment:6 by JaeHyuckSa, 2 months ago

Patch needs improvement:	unset

comment:7 by Sarah Boyce, 2 months ago

Patch needs improvement:	set

comment:8 by JaeHyuckSa, 2 months ago

Patch needs improvement:	unset

comment:9 by Sarah Boyce, 2 months ago

Triage Stage:	Accepted → Ready for checkin

comment:10 by Sarah Boyce <42296566+sarahboyce@…>, 2 months ago

Resolution:	→ fixed
Status:	assigned → closed

In 0246f47:

Fixed #36546 -- Deprecated django.utils.crypto.constant_time_compare() in favor of hmac.compare_digest().

Signed-off-by: SaJH <wogur981208@…>

comment:11 by Sarah Boyce <42296566+sarahboyce@…>, 2 months ago

In d0e4dd5c:

Fixed #36572 -- Revert "Fixed #36546 -- Deprecated django.utils.crypto.constant_time_compare() in favor of hmac.compare_digest()."

This reverts commit 0246f478882c26bc1fe293224653074cd46a90d0.

comment:12 by Sarah Boyce, 2 months ago

Has patch:	unset
Resolution:	fixed
Status:	closed → new
Triage Stage:	Ready for checkin → Someday/Maybe

Reopening following revert. See discussion in #36572

A later first step could be to replace internal usage of constant_time_compare() with compare_digest()

The deprecation itself needs more consideration

comment:13 by JaeHyuckSa, 2 months ago

There are quite a few points that need further discussion, so it’s difficult to move this forward right now. I’ll unassign myself for the time being

comment:14 by JaeHyuckSa, 2 months ago

Owner:	JaeHyuckSa removed
Status:	new → assigned

comment:15 by JaeHyuckSa, 2 months ago

Cc:	JaeHyuckSa added

Note: See TracTickets for help on using tickets.

Download in other formats:

Issues